OptimismTargetDispenserL2 contract is used by te protocol to receive the messages and tokens from L1 deposit processors contracts and then complete a verification process of staking targets and send the funds to them. However, the contract uses incorrect l1Processor address when receiving the message.
When transactions are sent from L1 to L2 by an Externally Owned Account, the address of the sender of the transaction on L2 will be set to the address of the sender of the transaction on L1. However, the address of the sender of a transaction on L2 will be different if the transaction was triggered by a smart contract on L1.
So the transactions of sending the messages from L1 to L2 are implemented by the smart contract, therefore, the address should be this:
function receiveMessage(bytes memory data) external payable {
// Check for the target dispenser address
address l1Processor = IBridge(l2MessageRelayer).xDomainMessageSender();
// Process the data
_receiveMessage(msg.sender, l1Processor, data);
}
The contract deviates from Optimism docs and uses incorrect sender address (not "aliased" version of L1 sender address).
Tools Used
Manual review.
Recommended Mitigation Steps
Add offset the same way as in ArbitrumTargetDispenserL2 smart contract:
@0xA5DF I think this issue is valid as in the case of Arbitrum the protocol uses correct "aliased" version of L1 sender address. But in the case of Optimism, it's not aliased and it's deviation from Optimism spec
Lines of code
https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/contracts/staking/OptimismTargetDispenserL2.sol#L101
Vulnerability details
Impact
OptimismTargetDispenserL2
contract is used by te protocol to receive the messages and tokens from L1 deposit processors contracts and then complete a verification process of staking targets and send the funds to them. However, the contract uses incorrectl1Processor
address when receiving the message.Proof of Concept
According to the Optimism docs:
https://docs.optimism.io/chain/differences
So the transactions of sending the messages from L1 to L2 are implemented by the smart contract, therefore, the address should be this:
However, in the current
OptimismTargetDispenserL2
, it uses the following sender:https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/contracts/staking/OptimismTargetDispenserL2.sol#L96-102
The contract deviates from Optimism docs and uses incorrect sender address (not "aliased" version of L1 sender address).
Tools Used
Manual review.
Recommended Mitigation Steps
Add offset the same way as in
ArbitrumTargetDispenserL2
smart contract:https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/contracts/staking/ArbitrumTargetDispenserL2.sol#L46-49
Assessed type
Other